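---
# desc: build container images, perform static tests then publish
#
# Conventions used throughout this workflow:
# - Every `${{ }}` value consumed by a `run:` script is passed through `env:` instead of
#   being interpolated into the script text. Workflow inputs, ref names, action outputs
#   and matrix values are all attacker-influenceable to some degree, and inline
#   interpolation is the classic GitHub Actions script-injection vector.
# - Every third-party action is pinned to a full commit SHA (the trailing comment is the
#   human-readable tag it was resolved from).
# - Images are handed between jobs as `name@sha256:<digest>` so the image that is tested
#   is byte-for-byte the image that is published.
name: build-images

# Least-privilege default for GITHUB_TOKEN. No step in this workflow pushes to the
# repository; registries, Vault and the re-run helper authenticate with Vault-sourced
# credentials. If an action turns out to need a write scope, grant it on that job only.
permissions:
  contents: read

on:
  push:
    branches:
      - '**'
    tags:
      - 'keycloak-[0-9]+-[0-9]+-[0-9]+-[0-9]+-[0-9]+' # `keycloak-NN-yyyy-mm-dd-xxx`: only the named keycloak major (e.g. keycloak-23-...)
      - '[0-9]+-[0-9]+-[0-9]+-[0-9]+' # `yyyy-mm-dd-xxx`: all keycloak versions
  schedule:
    - cron: 0 3 * * *
  workflow_dispatch:
    inputs:
      notify_back_error_message:
        description: Error message if retry was not successful. This parameter is used for internal call back actions.
        required: false
        default: ''

jobs:
  # Fails fast when the workflow was re-dispatched by the rerun helper and the retry did
  # not help; the message is surfaced in the log so the notify job has something to report.
  triage:
    runs-on: ubuntu-24.04
    steps:
      - name: Display notify_back_error_message if present
        if: ${{ inputs.notify_back_error_message != '' }}
        env:
          # a dispatch input is free text: keep it out of the script body
          NOTIFY_BACK_ERROR_MESSAGE: ${{ inputs.notify_back_error_message }}
        run: |
          echo "A previous workflow failed but has attempted to retry: ${NOTIFY_BACK_ERROR_MESSAGE}"
          exit 1

  # Computes the matrix of keycloak majors to build, either from the release tag or from
  # the `keycloak-*` folders in the repository.
  list-keycloak-versions:
    runs-on: ubuntu-24.04
    needs:
      - triage
    outputs:
      matrix_keycloak_versions: ${{ steps.set-matrix.outputs.matrix_keycloak_versions }}
    steps:
      - name: Checkout
        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
        with:
          persist-credentials: false # nothing here pushes; don't leave the token in .git/config for later steps/actions
      - name: List Keycloak Versions from repository's folders
        id: set-matrix
        run: |
          : # if we release a specified version of keycloak, the matrix should only contain it
          if [[ $GITHUB_REF =~ ^refs/tags/keycloak-([0-9]+)- ]]; then
            keycloak_version=${BASH_REMATCH[1]}
            matrix_json="[\"${keycloak_version}\"]"
          else
            : # List folders matching the pattern keycloak-*
            : # Export the list as an output in JSON format
            matrix_json=$(printf "%s\n" keycloak-*/ | sed 's/\/$//' | sed 's/keycloak-//' | jq -R -s -c 'split("\n")[:-1]')
          fi
          : # the matrix values end up in paths and shell scripts of every downstream job:
          : # refuse anything that is not a plain version number (this also catches an
          : # unexpanded `keycloak-*/` glob when no folder matches)
          if ! echo "${matrix_json}" | jq -e 'length > 0 and all(test("^[0-9]+(\\.[0-9]+)*$"))' > /dev/null; then
            echo "Error: unexpected keycloak version list: ${matrix_json}"
            exit 1
          fi
          echo "matrix_keycloak_versions=${matrix_json}" >> "$GITHUB_OUTPUT"
          echo "matrix_keycloak_versions=${matrix_json}"

  # Builds one multi-arch image per keycloak major and pushes it to the CI registry under a
  # temporary `ci-<major>-sha-<short sha>` tag; exports its digest-pinned reference.
  build-image:
    runs-on: ubuntu-24.04
    outputs:
      full_image_name: ${{ steps.compute-image-name-step.outputs.full_image_name }}
    needs:
      - list-keycloak-versions
    strategy:
      fail-fast: false # don't propagate failing jobs
      matrix:
        keycloak_version: ${{ fromJson(needs.list-keycloak-versions.outputs.matrix_keycloak_versions) }}
    steps:
      - name: Checkout
        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
        with:
          persist-credentials: false
      - name: Cache asdf installation
        id: cache
        uses: actions/cache@1bd1e32a3bdc45362d1e726936510720a7c30a57 # v4
        with:
          path: |
            /home/runner/.asdf
          key: ${{ runner.os }}-${{ runner.arch }}-tooling-${{ hashFiles('**/.tool-versions') }}
          restore-keys: |
            ${{ runner.os }}-${{ runner.arch }}-tooling-
      - name: Install tooling using asdf
        uses: asdf-vm/actions/install@05e0d2ed97b598bfce82fd30daf324ae0c4570e6 # v3
      - name: Import secrets
        uses: hashicorp/vault-action@a1b77a09293a4366e48a5067a86692ac6e94fdc0 # v3.1.0
        id: secrets
        with:
          url: ${{ secrets.VAULT_ADDR }}
          method: approle
          roleId: ${{ secrets.VAULT_ROLE_ID }}
          secretId: ${{ secrets.VAULT_SECRET_ID }}
          exportEnv: false # secrets are consumed as masked step outputs, never as ambient env
          secrets: |
            secret/data/products/infrastructure-experience/ci/common MACHINE_PWD;
            secret/data/products/infrastructure-experience/ci/common MACHINE_USR;
            secret/data/products/infrastructure-experience/ci/common DOCKERHUB_USER;
            secret/data/products/infrastructure-experience/ci/common DOCKERHUB_PASSWORD;
      - name: Login to the dockerhub registry # prevents pull limit rate
        uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3
        with:
          registry: ${{ vars.CONTAINER_REGISTRY }}
          username: ${{ steps.secrets.outputs.DOCKERHUB_USER }}
          password: ${{ steps.secrets.outputs.DOCKERHUB_PASSWORD }}
      - name: Compute build image variables
        id: compute-build-image-name-step
        env:
          KEYCLOAK_VERSION: ${{ matrix.keycloak_version }}
        run: |
          : # read the upstream version out of `ARG BASE_IMAGE_NAME=<registry>/<repo>:<tag>` and
          : # keep what precedes the first `:`/`/`/`-` of the tag (expected to be the keycloak
          : # semver, e.g. 23.0.1 -- the Dockerfile is not visible here, confirm against it)
          keycloak_full_version=$(grep "ARG BASE_IMAGE_NAME=" "keycloak-${KEYCLOAK_VERSION}/Dockerfile" \
            | awk -F'[:=]' '{print $NF}' \
            | tr -d '"' \
            | awk -F'[:/-]' '{print $1}')
          : # a pipeline ending in awk exits 0 even when grep matched nothing, so an `||` error
          : # handler on the pipeline is dead code; test the value instead
          if [[ -z "${keycloak_full_version}" ]]; then
            echo "Error: ARG BASE_IMAGE_NAME not found in keycloak-${KEYCLOAK_VERSION}/Dockerfile"
            exit 1
          fi
          echo "keycloak_full_version=${keycloak_full_version}" >> "$GITHUB_OUTPUT"
          echo "keycloak_full_version=${keycloak_full_version}"
      - name: Build image using Camunda docker build
        id: build-image-step
        uses: camunda/infra-global-github-actions/build-docker-image@d77000545c7ea9403f90bf2eedbe052ff9656873 # main
        with:
          registry_host: ${{ vars.CONTAINER_REGISTRY_CI }}
          registry_username: ${{ steps.secrets.outputs.MACHINE_USR }}
          registry_password: ${{ steps.secrets.outputs.MACHINE_PWD }}
          force_push: true
          image_name: ${{ vars.CONTAINER_IMAGE_NAME_CI }}
          build_context: ./keycloak-${{ matrix.keycloak_version }}/
          build_platforms: linux/amd64,linux/arm64
          extra_tags: | # the ci- prefix ensures a build context, this image is treated as "temporary"
            type=sha,enable=true,priority=1000,prefix=ci-${{ matrix.keycloak_version }}-sha-,suffix=,format=short
      - name: Compute target built image fully qualified name from metadata
        id: compute-image-name-step
        env:
          # JSON produced by the build action; passed via env so quotes in it cannot break the script
          IMAGE_METADATA: ${{ steps.build-image-step.outputs.image_metadata }}
        run: |
          : # "image.name" is a comma separated list of pushed references; keep the first one
          image_name=$(echo "${IMAGE_METADATA}" | tr -d '\n' | jq -r '."image.name"' | tr ',' '\n' | head -n 1 | tr -d ' ')
          digest=$(echo "${IMAGE_METADATA}" | tr -d '\n' | jq -r '."containerimage.digest"')
          : # downstream jobs test and publish exactly this reference, so insist on a real digest
          if [[ -z "${image_name}" || "${image_name}" == "null" || ! "${digest}" =~ ^sha256:[0-9a-f]{64}$ ]]; then
            echo "Error: could not extract image name/digest from build metadata: name='${image_name}' digest='${digest}'"
            exit 1
          fi
          full_image_name="${image_name}@${digest}"
          echo "full_image_name=${full_image_name}" >> "$GITHUB_OUTPUT"
          echo "$full_image_name"
      ## Write for matrix outputs workaround
      - uses: cloudposse/github-action-matrix-outputs-write@ed06cf3a6bf23b8dce36d1cf0d63123885bb8375 # v1
        id: out
        with:
          matrix-step-name: ${{ github.job }}
          matrix-key: ${{ matrix.keycloak_version }}
          outputs: |-
            full_image_name: ${{ steps.compute-image-name-step.outputs.full_image_name }}

  ## Read matrix outputs
  read-build-image-output:
    runs-on: ubuntu-24.04
    needs: [build-image]
    steps:
      - uses: cloudposse/github-action-matrix-outputs-read@33cac12fa9282a7230a418d859b93fdbc4f27b5a # v1
        id: read
        with:
          matrix-step-name: build-image
    outputs:
      result: ${{ steps.read.outputs.result }}

  # Static check: runs `kc.sh show-config` in the built image and asserts on its output.
  test-base-image:
    runs-on: ubuntu-24.04
    needs:
      - list-keycloak-versions
      - build-image
      - read-build-image-output
    strategy:
      fail-fast: false # don't propagate failing jobs
      matrix:
        keycloak_version: ${{ fromJson(needs.list-keycloak-versions.outputs.matrix_keycloak_versions) }}
    steps:
      - name: Checkout
        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
        with:
          persist-credentials: false
      - name: Cache asdf installation
        id: cache
        uses: actions/cache@1bd1e32a3bdc45362d1e726936510720a7c30a57 # v4
        with:
          path: |
            /home/runner/.asdf
          key: ${{ runner.os }}-${{ runner.arch }}-tooling-${{ hashFiles('**/.tool-versions') }}
          restore-keys: |
            ${{ runner.os }}-${{ runner.arch }}-tooling-
      - name: Install tooling using asdf
        uses: asdf-vm/actions/install@05e0d2ed97b598bfce82fd30daf324ae0c4570e6 # v3
      - name: Set Keycloak Image Name
        id: set-keycloak-image-name
        shell: bash
        env:
          KEYCLOAK_VERSION: ${{ matrix.keycloak_version }}
          KEYCLOAK_IMAGE_NAME: ${{ fromJson(needs.read-build-image-output.outputs.result).full_image_name[matrix.keycloak_version] }}
        run: |
          : # an empty lookup would otherwise surface later as a confusing `docker run ""` failure
          if [[ -z "${KEYCLOAK_IMAGE_NAME}" ]]; then
            echo "Error: no built image recorded for keycloak ${KEYCLOAK_VERSION}"
            exit 1
          fi
          echo "keycloak_image_name=${KEYCLOAK_IMAGE_NAME}" >> "$GITHUB_ENV"
          echo "keycloak_image_name=${KEYCLOAK_IMAGE_NAME}"
      - name: Import secrets
        uses: hashicorp/vault-action@a1b77a09293a4366e48a5067a86692ac6e94fdc0 # v3.1.0
        id: secrets
        with:
          url: ${{ secrets.VAULT_ADDR }}
          method: approle
          roleId: ${{ secrets.VAULT_ROLE_ID }}
          secretId: ${{ secrets.VAULT_SECRET_ID }}
          exportEnv: false
          secrets: |
            secret/data/products/infrastructure-experience/ci/common MACHINE_PWD;
            secret/data/products/infrastructure-experience/ci/common MACHINE_USR;
      - name: Login to the registry
        uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3
        with:
          registry: ${{ vars.CONTAINER_REGISTRY_CI }}
          username: ${{ steps.secrets.outputs.MACHINE_USR }}
          password: ${{ steps.secrets.outputs.MACHINE_PWD }}
      - name: KeyCloak Show-Config
        run: |
          : # keycloak_image_name was exported to GITHUB_ENV above, so it is a plain shell variable here
          docker run --rm "${keycloak_image_name}" /opt/bitnami/keycloak/bin/kc.sh show-config >> docker.log
          echo "config=$(< docker.log tr '\n' ' ')" >> "$GITHUB_ENV"
      - name: Assert Config
        env:
          CONFIG: ${{ env.config }}
        run: python3 ./.github/scripts/build-check/main.py

  # Integration test against postgres: a throwaway container on the GitHub-hosted runner,
  # and Aurora (IRSA / IAM auth through the AWS JDBC wrapper) on the self-hosted AWS runners.
  test-postgres-integ:
    strategy:
      fail-fast: false # don't propagate failing jobs
      matrix:
        runner_desc:
          - runner: ubuntu-24.04
            postgres_replicas: 1
            keycloak_jdbc_driver: postgresql
            keycloak_db_driver: org.postgresql.Driver
            keycloak_db_host_template: postgres
            keycloak_db_jdbc_query: ''
            keycloak_db_port: '5432'
          - runner: aws-core-2-default
            postgres_replicas: 0
            keycloak_jdbc_driver: aws-wrapper:postgresql
            keycloak_db_driver: software.amazon.jdbc.Driver
            keycloak_db_host_template: camunda-ci-eks-aurora-postgresql-{{ postgres_version }}.cluster-clnwzia8ptad.eu-central-1.rds.amazonaws.com
            keycloak_db_jdbc_query: wrapperPlugins=iam&ssl=true&sslmode=require
            keycloak_db_port: '5432'
          - runner: aws-arm-core-2-default
            postgres_replicas: 0
            keycloak_jdbc_driver: aws-wrapper:postgresql
            keycloak_db_driver: software.amazon.jdbc.Driver
            keycloak_db_host_template: camunda-ci-eks-aurora-postgresql-{{ postgres_version }}.cluster-clnwzia8ptad.eu-central-1.rds.amazonaws.com
            keycloak_db_jdbc_query: wrapperPlugins=iam&ssl=true&sslmode=require
            keycloak_db_port: '5432'
          # Add the gcp runner when GCloud SQL is available
          # GCloud SQL is not tested yet as we don't have a dedicated db
        keycloak_version: ${{ fromJson(needs.list-keycloak-versions.outputs.matrix_keycloak_versions) }}
    runs-on: ${{ matrix.runner_desc.runner }}
    needs:
      - list-keycloak-versions
      - build-image
      - read-build-image-output
    steps:
      - name: Checkout
        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
        with:
          persist-credentials: false
      - name: Install build-essentials for asdf
        run: |
          sudo apt-get update
          sudo apt-get install -y build-essential git libexpat1-dev libssl-dev zlib1g-dev \
            libncurses5-dev libbz2-dev liblzma-dev \
            libsqlite3-dev libffi-dev tcl-dev linux-headers-generic libgdbm-dev \
            libreadline-dev tk tk-dev
      - name: Cache asdf installation
        id: cache
        uses: actions/cache@1bd1e32a3bdc45362d1e726936510720a7c30a57 # v4
        with:
          path: |
            /home/runner/.asdf
          key: ${{ runner.os }}-${{ runner.arch }}-tooling-${{ hashFiles('**/.tool-versions') }}
          restore-keys: |
            ${{ runner.os }}-${{ runner.arch }}-tooling-
      - name: Install tooling using asdf
        uses: asdf-vm/actions/install@05e0d2ed97b598bfce82fd30daf324ae0c4570e6 # v3
      - name: Set Keycloak Image Name
        id: set-keycloak-image-name
        shell: bash
        env:
          KEYCLOAK_VERSION: ${{ matrix.keycloak_version }}
          KEYCLOAK_IMAGE_NAME: ${{ fromJson(needs.read-build-image-output.outputs.result).full_image_name[matrix.keycloak_version] }}
        run: |
          if [[ -z "${KEYCLOAK_IMAGE_NAME}" ]]; then
            echo "Error: no built image recorded for keycloak ${KEYCLOAK_VERSION}"
            exit 1
          fi
          echo "keycloak_image_name=${KEYCLOAK_IMAGE_NAME}" >> "$GITHUB_ENV"
          echo "keycloak_image_name=${KEYCLOAK_IMAGE_NAME}"
      - name: Import secrets
        uses: hashicorp/vault-action@a1b77a09293a4366e48a5067a86692ac6e94fdc0 # v3.1.0
        id: secrets
        with:
          url: ${{ secrets.VAULT_ADDR }}
          method: approle
          roleId: ${{ secrets.VAULT_ROLE_ID }}
          secretId: ${{ secrets.VAULT_SECRET_ID }}
          # Do not export every secret (registry creds, Aurora superuser) into the environment
          # of all later steps -- including the compose action and the test scripts. The only
          # consumers are the Aurora create/delete steps below, which read the masked outputs.
          exportEnv: false
          secrets: |
            secret/data/products/infrastructure-experience/ci/common MACHINE_PWD;
            secret/data/products/infrastructure-experience/ci/common MACHINE_USR;
            secret/data/products/infrastructure-experience/ci/common AURORA_POSTGRESQL_PASSWORD | postgres_superuser_password;
            secret/data/products/infrastructure-experience/ci/common AURORA_POSTGRESQL_USERNAME | postgres_superuser;
            secret/data/products/infrastructure-experience/ci/common DOCKERHUB_USER;
            secret/data/products/infrastructure-experience/ci/common DOCKERHUB_PASSWORD;
      - name: Login to the dockerhub registry # prevents pull limit rate
        uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3
        with:
          registry: ${{ vars.CONTAINER_REGISTRY }}
          username: ${{ steps.secrets.outputs.DOCKERHUB_USER }}
          password: ${{ steps.secrets.outputs.DOCKERHUB_PASSWORD }}
      - name: Login to the registry
        uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3
        with:
          registry: ${{ vars.CONTAINER_REGISTRY_CI }}
          username: ${{ steps.secrets.outputs.MACHINE_USR }}
          password: ${{ steps.secrets.outputs.MACHINE_PWD }}
      - name: Compute AWS variables
        if: startsWith(matrix.runner_desc.runner, 'aws')
        run: |
          : # aws aurora superuser is only used for bootstrapping a standard user that will auth using irsa
          echo "postgres_user=keycloak-irsa" | tee -a "$GITHUB_ENV"
          echo "postgres_password=" | tee -a "$GITHUB_ENV"
          : # the runner's projected service-account token is mounted into the keycloak container
          : # so the AWS JDBC wrapper can assume the IRSA role
          echo "compose_keycloak_volume_1=$AWS_WEB_IDENTITY_TOKEN_FILE:$AWS_WEB_IDENTITY_TOKEN_FILE" >> "$GITHUB_ENV"
          : # export AWS variables
          echo "AWS_STS_REGIONAL_ENDPOINTS=$AWS_STS_REGIONAL_ENDPOINTS" >> "$GITHUB_ENV"
          echo "AWS_STS_REGIONAL_ENDPOINTS=${AWS_STS_REGIONAL_ENDPOINTS}"
          echo "AWS_DEFAULT_REGION=$AWS_DEFAULT_REGION" >> "$GITHUB_ENV"
          echo "AWS_DEFAULT_REGION=${AWS_DEFAULT_REGION}"
          echo "AWS_REGION=$AWS_REGION" >> "$GITHUB_ENV"
          echo "AWS_REGION=${AWS_REGION}"
          echo "AWS_ROLE_ARN=$AWS_ROLE_ARN" >> "$GITHUB_ENV"
          echo "AWS_ROLE_ARN=${AWS_ROLE_ARN}"
          echo "AWS_WEB_IDENTITY_TOKEN_FILE=$AWS_WEB_IDENTITY_TOKEN_FILE" >> "$GITHUB_ENV"
          echo "AWS_WEB_IDENTITY_TOKEN_FILE=${AWS_WEB_IDENTITY_TOKEN_FILE}"
      - name: Compute Ubuntu variables
        if: startsWith(matrix.runner_desc.runner, 'ubuntu')
        run: |
          : # we use plain values that will be used by the postgres container
          : # (throwaway container local to this job; the value is not a real credential)
          echo "postgres_user=keycloak" | tee -a "$GITHUB_ENV"
          echo "postgres_password=password" | tee -a "$GITHUB_ENV"
      - name: Declare test recipe variables
        shell: bash
        env:
          POSTGRES_REPLICAS: ${{ matrix.runner_desc.postgres_replicas }}
          KEYCLOAK_VERSION: ${{ matrix.keycloak_version }}
          KEYCLOAK_DB_HOST_TEMPLATE: ${{ matrix.runner_desc.keycloak_db_host_template }}
          GIT_SHA: ${{ github.sha }}
        run: |
          if (( POSTGRES_REPLICAS < 1 )); then
            echo "compose_keycloak_depends_on=" >> "$GITHUB_ENV"
          else
            echo "compose_keycloak_depends_on=postgres" >> "$GITHUB_ENV"
          fi
          : # ensure uniqueness of the db name
          uuid="$(cat /proc/sys/kernel/random/uuid)"
          postgres_database="infex-keycloak-db-${uuid}-${GIT_SHA}"
          echo "postgres_database=${postgres_database}" | tee -a "$GITHUB_ENV"
          : # get the postgres version to test
          keycloak_version_git="$(echo "${KEYCLOAK_VERSION}" | sed -E 's/^([0-9]+)\.?(.*)$/\1.0/g')" # make sure to have a major.0 format
          : # -f turns a 404 (e.g. a release branch that does not exist yet) into a hard failure
          : # instead of silently parsing an HTML error page into an empty version
          postgres_version=$(
            curl -fsSL "https://raw.githubusercontent.com/keycloak/keycloak/release/${keycloak_version_git}/pom.xml" \
              | awk -F'[><]' '/<postgresql.version>/{print $3}'
          )
          : # this value comes from a remote file and is reused as an image tag, a hostname
          : # fragment and a sed replacement: accept nothing but a plain dotted version number
          if [[ ! "${postgres_version}" =~ ^[0-9]+(\.[0-9]+)*$ ]]; then
            echo "Error: unexpected postgresql.version '${postgres_version}' read from keycloak release/${keycloak_version_git} pom.xml"
            exit 1
          fi
          echo "postgres_version=${postgres_version}" >> "$GITHUB_ENV"
          echo "postgres_version=${postgres_version}"
          : # apply template on the address
          postgres_host=$(echo "${KEYCLOAK_DB_HOST_TEMPLATE}" | sed "s/{{ postgres_version }}/${postgres_version}/g")
          echo "postgres_host=${postgres_host}" >> "$GITHUB_ENV"
          echo "postgres_host=${postgres_host}"
      # The self-hosted runner doesn't provide a postgres client and the prerequisites for make,
      # so we need to install them manually
      - name: Install required packages
        run: sudo apt-get update && sudo apt-get install -y build-essential postgresql-client
      - name: Tear up Aurora PG (aws only)
        if: startsWith(matrix.runner_desc.runner, 'aws')
        run: ./.helpers/actions/create_aurora_pg_db.sh
        env:
          PGDATABASE: ${{ env.postgres_database }}
          PGHOST: ${{ env.postgres_host }}
          PGPORT: ${{ matrix.runner_desc.keycloak_db_port }}
          # superuser credentials are scoped to this step only (see exportEnv above)
          PGPASSWORD: ${{ steps.secrets.outputs.postgres_superuser_password }}
          PGUSER: ${{ steps.secrets.outputs.postgres_superuser }}
          PGUSER_IRSA: ${{ env.postgres_user }}
      - name: Generate a db auth token using aws for simple psql db connection test (aws only)
        if: startsWith(matrix.runner_desc.runner, 'aws')
        shell: bash
        env:
          PGPORT: ${{ matrix.runner_desc.keycloak_db_port }}
        run: |
          : # We generate a db auth token using the aws cli because IRSA access in Keycloak might not be easy to debug.
          : # This token will be used in the "Test psql db connection" step, and then it will be reset for the Keycloak integration test.
          : # The aws command uses the environment variables provided by the runner
          AWS_PG_PASSWORD="$(aws rds generate-db-auth-token --hostname "${postgres_host}" \
            --port "${PGPORT}" --region "${AWS_REGION}" --username "${postgres_user}")"
          : # the token is a short-lived credential that lands in GITHUB_ENV: mask it so no later
          : # step can echo it into the job log in clear
          echo "::add-mask::${AWS_PG_PASSWORD}"
          echo "postgres_password=${AWS_PG_PASSWORD}" >> "$GITHUB_ENV"
      - name: Test psql db connection (for external db only)
        if: ${{ matrix.runner_desc.postgres_replicas == 0 }}
        shell: bash
        env:
          PGPORT: ${{ matrix.runner_desc.keycloak_db_port }}
        run: |
          : # Perform a simple psql connection test to ensure the database can be reached.
          : # The psql command provides clear and simple error messages compared to jdbc,
          : # which is why we perform this step.
          PGPASSWORD="${postgres_password}"
          export PGPASSWORD
          psql -h "${postgres_host}" -p "${PGPORT}" \
            "dbname=${postgres_database} user=${postgres_user}" -c 'SELECT version();'
      - name: Reset postgres_password for IRSA connection (aws only)
        if: startsWith(matrix.runner_desc.runner, 'aws')
        shell: bash
        run: |
          : # For AWS IRSA connection, we don't use password-based authentication.
          : # Since a password was generated in the previous steps, we need to ensure it is empty.
          echo "postgres_password=" >> "$GITHUB_ENV"
      - name: Start Test Environment
        uses: ./.github/actions/compose
        with:
          project_name: keycloak
        env:
          POSTGRES_DB: ${{ env.postgres_database }}
          POSTGRES_USER: ${{ env.postgres_user }}
          POSTGRES_PASSWORD: ${{ env.postgres_password }}
          KEYCLOAK_DATABASE_USER: ${{ env.postgres_user }}
          KEYCLOAK_DATABASE_PASSWORD: ${{ env.postgres_password }}
          KEYCLOAK_DATABASE_NAME: ${{ env.postgres_database }}
          KEYCLOAK_DATABASE_HOST: ${{ env.postgres_host }}
          KEYCLOAK_DATABASE_PORT: ${{ matrix.runner_desc.keycloak_db_port }}
          KEYCLOAK_JDBC_DRIVER: ${{ matrix.runner_desc.keycloak_jdbc_driver }}
          KEYCLOAK_JDBC_PARAMS: ${{ matrix.runner_desc.keycloak_db_jdbc_query }}
          KC_DB_DRIVER: ${{ matrix.runner_desc.keycloak_db_driver }}
          KEYCLOAK_LOG_LEVEL: INFO,software.amazon.jdbc:INFO
          # deliberately unpinned: the test must follow the postgres version keycloak's own pom declares
          # (postgres_version is validated to be a plain version number before it gets here)
          COMPOSE_POSTGRES_IMAGE: docker.io/postgres:${{ env.postgres_version }}
          COMPOSE_POSTGRES_DEPLOY_REPLICAS: ${{ matrix.runner_desc.postgres_replicas }}
          COMPOSE_KEYCLOAK_DEPENDS_ON: ${{ env.compose_keycloak_depends_on }}
          # NOTE(review): on AWS this bind-mounts the runner's web identity token into the container
          # under test; a `:ro` suffix would be preferable once the compose action's volume parsing
          # is confirmed to accept it (the action is not visible from this file)
          COMPOSE_KEYCLOAK_VOLUME_1: ${{ env.compose_keycloak_volume_1 || '/dev/null:/dummynull1' }}
          COMPOSE_KEYCLOAK_IMAGE: ${{ env.keycloak_image_name }}
          # AWS specific variables to forward,
          # see https://confluence.camunda.com/pages/viewpage.action?pageId=178590693#IAMRolesforServiceAccountsTesting(IRSA)-EnvironmentVariables
          AWS_STS_REGIONAL_ENDPOINTS: ${{ env.AWS_STS_REGIONAL_ENDPOINTS }}
          AWS_DEFAULT_REGION: ${{ env.AWS_DEFAULT_REGION }}
          AWS_REGION: ${{ env.AWS_REGION }}
          AWS_ROLE_ARN: ${{ env.AWS_ROLE_ARN }}
          AWS_WEB_IDENTITY_TOKEN_FILE: ${{ env.AWS_WEB_IDENTITY_TOKEN_FILE }}
      - name: Install dependencies
        run: |
          python -m pip install --upgrade pip
          pip install -r ./.github/scripts/integration/requirements.txt
      - name: Test Environment
        run: python3 ./.github/scripts/integration/main.py
      - name: Tear down Aurora PG (aws only)
        if: startsWith(matrix.runner_desc.runner, 'aws') && always()
        run: ./.helpers/actions/delete_aurora_pg_db.sh
        env:
          PGDATABASE: ${{ env.postgres_database }}
          PGHOST: ${{ env.postgres_host }}
          PGPORT: ${{ matrix.runner_desc.keycloak_db_port }}
          PGPASSWORD: ${{ steps.secrets.outputs.postgres_superuser_password }}
          PGUSER: ${{ steps.secrets.outputs.postgres_superuser }}

  # Retags the digest-pinned CI image (the one that passed the tests above) into the public
  # registry. Only runs on release tags.
  publish-image:
    runs-on: ubuntu-24.04
    # to release all versions of keycloak, tag it using the date (e.g.: `2024-03-10-001`)
    # to release only one version keycloak, tag it using the date prefixed by the version of keycloak (e.g.: `keycloak-23-2024-03-10-001`)
    if: startsWith(github.ref, 'refs/tags')
    strategy:
      fail-fast: false # don't propagate failing jobs
      matrix:
        keycloak_version: ${{ fromJson(needs.list-keycloak-versions.outputs.matrix_keycloak_versions) }}
    needs:
      - read-build-image-output
      - list-keycloak-versions
      - test-postgres-integ
      - test-base-image
    steps:
      - name: Checkout
        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
        with:
          persist-credentials: false
      - name: Install if required common software tooling
        uses: camunda/infra-global-github-actions/common-tooling@d77000545c7ea9403f90bf2eedbe052ff9656873 # main
        with:
          node-enabled: false
          java-enabled: false
          yarn-enabled: false
          python-enabled: false
          buildx-install: true
      - name: Cache asdf installation
        id: cache
        uses: actions/cache@1bd1e32a3bdc45362d1e726936510720a7c30a57 # v4
        with:
          path: |
            /home/runner/.asdf
          key: ${{ runner.os }}-${{ runner.arch }}-tooling-${{ hashFiles('**/.tool-versions') }}
          restore-keys: |
            ${{ runner.os }}-${{ runner.arch }}-tooling-
      - name: Install tooling using asdf
        uses: asdf-vm/actions/install@05e0d2ed97b598bfce82fd30daf324ae0c4570e6 # v3
      - name: Import secrets
        uses: hashicorp/vault-action@a1b77a09293a4366e48a5067a86692ac6e94fdc0 # v3.1.0
        id: secrets
        with:
          url: ${{ secrets.VAULT_ADDR }}
          method: approle
          roleId: ${{ secrets.VAULT_ROLE_ID }}
          secretId: ${{ secrets.VAULT_SECRET_ID }}
          exportEnv: false
          secrets: |
            secret/data/products/infrastructure-experience/ci/common MACHINE_PWD;
            secret/data/products/infrastructure-experience/ci/common MACHINE_USR;
            secret/data/products/infrastructure-experience/ci/common DOCKERHUB_USER;
            secret/data/products/infrastructure-experience/ci/common DOCKERHUB_PASSWORD;
      - name: Login to the registry
        uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3
        with:
          registry: ${{ vars.CONTAINER_REGISTRY_CI }}
          username: ${{ steps.secrets.outputs.MACHINE_USR }}
          password: ${{ steps.secrets.outputs.MACHINE_PWD }}
      - name: Login to Docker Hub
        uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3
        with:
          registry: ${{ vars.CONTAINER_REGISTRY }}
          username: ${{ steps.secrets.outputs.DOCKERHUB_USER }}
          password: ${{ steps.secrets.outputs.DOCKERHUB_PASSWORD }}
      - name: Set Keycloak Version
        id: set-keycloak-version
        env:
          KEYCLOAK_VERSION: ${{ matrix.keycloak_version }}
          KEYCLOAK_IMAGE_NAME: ${{ fromJson(needs.read-build-image-output.outputs.result).full_image_name[matrix.keycloak_version] }}
          DOCKERHUB_TARGET_NAME: ${{ vars.CONTAINER_REGISTRY }}/${{ vars.CONTAINER_IMAGE_NAME }}
        run: |
          : # refuse to publish anything that is not the digest-pinned reference produced by build-image
          if [[ ! "${KEYCLOAK_IMAGE_NAME}" =~ @sha256:[0-9a-f]{64}$ ]]; then
            echo "Error: no digest-pinned built image recorded for keycloak ${KEYCLOAK_VERSION}: '${KEYCLOAK_IMAGE_NAME}'"
            exit 1
          fi
          echo "keycloak_image_name=${KEYCLOAK_IMAGE_NAME}" >> "$GITHUB_ENV"
          echo "keycloak_image_name=${KEYCLOAK_IMAGE_NAME}"
          echo "dockerhub_target_name=${DOCKERHUB_TARGET_NAME}" >> "$GITHUB_ENV"
          echo "dockerhub_target_name=${DOCKERHUB_TARGET_NAME}"
      - name: Pull built image
        run: |
          docker pull "${keycloak_image_name}"
      - name: Retag and push the image
        shell: bash
        env:
          KEYCLOAK_VERSION: ${{ matrix.keycloak_version }}
          TAG_NAME: ${{ github.ref_name }} # a ref name is free text controlled by whoever can push tags: never inline it
        run: |
          : # extract the base image tag to use it as base tag
          base_image_tag=$(grep "ARG BASE_IMAGE_NAME=" "keycloak-${KEYCLOAK_VERSION}/Dockerfile" \
            | awk -F'[:=]' '{print $NF}' \
            | tr -d '"')
          : # the pipeline exits 0 even when grep matched nothing; without this check an empty
          : # value would publish `:` and `:-<suffix>` tags
          if [[ -z "${base_image_tag}" ]]; then
            echo "Error: ARG BASE_IMAGE_NAME not found in keycloak-${KEYCLOAK_VERSION}/Dockerfile"
            exit 1
          fi
          echo "base_image_tag=${base_image_tag}"
          : # version of keycloak (e.g.: 23.0.1)
          semver_tag=$(echo "${base_image_tag}" | awk -F'-' '{print $1}')
          : # remove keycloak- prefix
          suffix_version=$(echo "${TAG_NAME}" | sed 's/keycloak-[0-9]*-//')
          : # every tag points at the digest-pinned CI image, so what is published is exactly what was tested
          docker buildx imagetools create -t "${dockerhub_target_name}:${KEYCLOAK_VERSION}" "${keycloak_image_name}"
          docker buildx imagetools create -t "${dockerhub_target_name}:${base_image_tag}" "${keycloak_image_name}"
          docker buildx imagetools create -t "${dockerhub_target_name}:${base_image_tag}-${suffix_version}" "${keycloak_image_name}"
          docker buildx imagetools create -t "${dockerhub_target_name}:${semver_tag}" "${keycloak_image_name}"
          if [ "$(./.github/scripts/utils/find_latest_keycloak.sh)" = "${KEYCLOAK_VERSION}" ]; then
            docker buildx imagetools create -t "${dockerhub_target_name}:latest" "${keycloak_image_name}"
          fi

  # Rerun failed jobs running on self-hosted runners in case of network issues or node preemption
  rerun-failed-jobs:
    needs:
      - test-postgres-integ
    if: failure() && fromJSON(github.run_attempt) < 3 && inputs.notify_back_error_message == ''
    runs-on: ubuntu-24.04 # pinned like every other hosted job; `latest` silently changes under you
    steps:
      - name: Retrigger job
        uses: camunda/infra-global-github-actions/rerun-failed-run@d77000545c7ea9403f90bf2eedbe052ff9656873 # main
        with:
          error-messages: |
            lost communication with the server
            The runner has received a shutdown signal
          run-id: ${{ github.run_id }}
          repository: ${{ github.repository }}
          vault-addr: ${{ secrets.VAULT_ADDR }}
          vault-role-id: ${{ secrets.VAULT_ROLE_ID }}
          vault-secret-id: ${{ secrets.VAULT_SECRET_ID }}
          notify-back-on-error: 'true'

  # Slack notification for scheduled runs that are still failing after the retries.
  notify-on-failure:
    runs-on: ubuntu-24.04
    if: failure() && (fromJSON(github.run_attempt) >= 3 || inputs.notify_back_error_message != '') && github.event_name == 'schedule'
    needs:
      - publish-image
      - read-build-image-output
      - list-keycloak-versions
      - test-postgres-integ
      - test-base-image
      - rerun-failed-jobs
    steps:
      - name: Notify in Slack in case of failure
        id: slack-notification
        uses: camunda/infraex-common-config/.github/actions/report-failure-on-slack@08c796604f9b08614df763b333833dd1bdc037c0 # 1.2.11
        with:
          vault_addr: ${{ secrets.VAULT_ADDR }}
          vault_role_id: ${{ secrets.VAULT_ROLE_ID }}
          vault_secret_id: ${{ secrets.VAULT_SECRET_ID }}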